The Complexity of Monitoring Hyperproperties

We study the runtime verification of hyperproperties, expressed in the temporal logic HyperLTL, as a means to inspect a system with respect to security policies. Runtime monitors for hyperproperties analyze trace logs that are organized by common prefixes in the form of a tree-shaped Kripke structure, or are organized both by common prefixes and by common suffixes in the form of an acyclic Kripke structure. Unlike runtime verification techniques for trace properties, where the monitor tracks the state of the specification but usually does not need to store traces, a monitor for hyperproperties repeatedly model checks the growing Kripke structure. This calls for a rigorous complexity analysis of the model checking problem over tree-shaped and acyclic Kripke structures. We show that for trees, the complexity in the size of the Kripke structure is L-complete independently of the number of quantifier alternations in the HyperLTL formula. For acyclic Kripke structures, the complexity is PSPACE-complete (in the level of the polynomial hierarchy that corresponds to the number of quantifier alternations). The combined complexity in the size of the Kripke structure and the length of the HyperLTL formula is PSPACE-complete for both trees and acyclic Kripke structures, and is as low as NC for the relevant case of trees and alternation-free HyperLTL formulas. Thus, the size and shape of both the Kripke structure and the formula have a significant impact on the complexity of the model checking problem.
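To make the monitoring loop described above concrete, the following Python monitor is an added example, not code from the paper or from any tool it describes. It assumes each log event is a `(low_input, low_output)` pair, and it checks one alternation-free formula chosen for illustration, an observational-determinism-style property ∀π ∀π'. (out_π = out_π') W (in_π ≠ in_π'), under finite-trace semantics by walking pairs of states of the prefix tree.

```python
from itertools import product

class Node:
    """One state of the tree-shaped Kripke structure (a shared trace prefix)."""
    def __init__(self):
        self.children = {}  # event (low_input, low_output) -> Node

def insert(root, trace):
    """Merge a finite trace into the tree along its longest common prefix."""
    node = root
    for event in trace:
        node = node.children.setdefault(event, Node())

def check(root):
    """Model check the tree against the assumed forall-forall formula.

    Explores the self-composition of the tree: pairs of states at equal
    depth whose paths have had equal inputs and equal outputs so far.
    Returns None, or the two diverging path prefixes as a witness.
    """
    stack = [(root, root, (), ())]
    while stack:
        u, v, pu, pv = stack.pop()
        for (eu, cu), (ev, cv) in product(u.children.items(), v.children.items()):
            if eu[0] != ev[0]:
                continue  # inputs differ here: the weak-until is released
            if eu[1] != ev[1]:
                return pu + (eu,), pv + (ev,)  # same inputs, different outputs
            stack.append((cu, cv, pu + (eu,), pv + (ev,)))
    return None

def monitor(traces):
    """Re-check the growing tree after every new trace, as the monitor does.

    Returns (index of the offending trace, witness) or None if all pass.
    """
    root = Node()
    for i, trace in enumerate(traces):
        insert(root, trace)
        witness = check(root)
        if witness is not None:
            return i, witness
    return None

# Constructed sample log: the third trace repeats the inputs of the first
# but produces a different low output at position 1.
SAMPLE_TRACES = [
    [("a", 0), ("b", 0)],
    [("a", 0), ("c", 1)],
    [("a", 0), ("b", 1)],
]
```

Because traces that share a prefix share tree states, identical prefixes are compared once; the pairwise walk still visits up to quadratically many state pairs, which is why the shape of the structure and the quantifier pattern matter for cost.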
